git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 2 Oct 2025 13:00:06 +0000 (15:00 +0200)
committer	Florian Westphal <fw@strlen.de>
	Wed, 8 Oct 2025 11:17:31 +0000 (13:17 +0200)
commit	a126ab6b26f107f4eb100c8c77e9f10b706f26e6
tree	13420e69f470d2b62ba396fd89ebeea4650be7ad	tree \| snapshot
parent	bbf0c98b3ad9edaea1f982de6c199cc11d3b7705	commit \| diff

selftests: netfilter: nft_fib.sh: fix spurious test failures

Jakub reports spurious failure of nft_fib.sh test.
This is caused by a subtle bug inherited when i moved faulty ping
from one test case to another.

nft_fib.sh not only checks that the fib expression matched, it also
records the number of matches and then validates we have the expected
count.  When I did this it was under the assumption that we would
have 0 to n matching packets.  In case of the failure, the entry has
n+1 matching packets.

This happens because ping_unreachable helper uses "ping -c 1 -w 1",
instead of the intended "-W".  -w alters the meaning of -c (count),
namely, its then treated as number of wanted *replies* instead of
"number of packets to send".

So, in some cases, ping -c 1 -w 1 ends up sending two packets which then
makes the test fail due to the higher-than-expected packet count.

Fix the actual bug (s/-w/-W) and also change the error handling:
1. Show the number of expected packets in the error message
2. Always try to delete the key from the set.
   Else, later test that makes sure we don't have unexpected keys
   in there will always fail as well.

Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netfilter-devel/20250927090709.0b3cd783@kernel.org/
Fixes: 98287045c979 ("selftests: netfilter: move fib vrf test to nft_fib.sh")
Signed-off-by: Florian Westphal <fw@strlen.de>